Just one day after a little-known hacker dazzled his peers by exploiting the latest version of Internet Explorer 8 beta, Microsoft added an important protection to the browser that probably would have prevented the attack.

The measure, which was added to last Thursday’s final release of IE8, restores so-called ASLR, or address space layout randomization, and DEP, or data execution prevention, to the Microsoft browser. Microsoft has more about that here. Continue reading →

Gains made by Internet Explorer 8 (IE8) since its launch last Thursday have come at the expense of the older IE7, according to data from Irish metrics firm StatCounter.

And while IE7’s market share has fallen by 2.6 percentage points since last Wednesday, the day before Microsoft Corp. released IE8, most rival browsers showed significant gains, giving credence to the idea that Microsoft’s newest venture has not pushed users of its competitors to switch. Continue reading →

The Pwn2Own competition, which is held every year to challenge hackers and security experts to find vulnerabilities in web browsers and mobile devices, has taken its usual share of victims with one surprise survivor during its first day.

Targeted browsers included Microsoft’s Internet Explorer 8, Mozilla’s Firefox, and Google’s Chrome, running on a Sony Vaio notebook running Windows 7 as well as Safari and Firefox on a Macbook running OS X.

TippingPoint’s 3rd annual Pwn2Own contest has already shown significant security breaches on Apple’s Safari, Mozilla’s Firefox and Microsoft’s Internet Explorer 8, but Google’s Chrome was the only browser that made it through the first day of testing this year.

One of the contestants, Nils was able to exploit the latest Internet Explorer 8 which was released just few days back. The blogosphere and news websites picked it up and very soon it became a hot news around. When people were worried about IE8’s security, MSRC (Microsoft Security Response Center) had already reproduced and validated the IE8 vulnerability in less than 12 hours.

Microsoft is expected to release a security patch for this vulnerability very soon. It is infact surprising to see that IE team acted so fast even when they were busy at MIX09!

Microsoft’s Internet Explorer 8 (IE8) received a small bump in market share Thursday as the company launched the final version mid-day, according to Web measurement company Net Applications.

IE8’s market share averaged 1.63% for the day Thursday from noon Eastern time onwards — when Microsoft posted the new browser for download — a 21% increase over March’s daily average of 1.35% through Wednesday. Net Applications has posted hourly market share numbers for IE8 on its Web site.

The browser’s share climbed again Friday, to an hourly average of 1.75% through 11:00 a.m. ET, bringing IE8’s total increase to 30% over the month’s daily average.

Even with that kind of increase, Vince Vizzaccaro, Net Applications’ executive vice president of marketing, was critical of Microsoft’s low-key launch. “I was a little surprised that there wasn’t any advanced warning,” said Vizzaccaro, “and no marketing push from Microsoft about IE8. At the minimum there should have been something for IE users that popped up and said ‘there’s an upgraded browser available … download it.'”

IE8’s market share climbed above the 1% mark for the first time last month, when it accounted for 1.2% of all browsers used. That boost had been fueled by the last January launch of the browser’s release candidate.

By comparison, Google’s Chrome, which debuted last September, had a 1.15% market share during February, while Mozilla’s Firefox — IE’s biggest rival — owned 21.77% of the business.

“Chrome got off to a fast start,” said Vizzaccaro, “but it really hasn’t moved much since then. And they had a low-key approach when they launched it, too. On the other hand, Mozilla made lots of noise about Firefox 3.0, with a special download day, and they got millions to download it.

“Microsoft is doing the same thing that they’ve done with browsers in the past, but that didn’t work for Chrome,” Vizzaccaro said. “If I were Microsoft, I would do something more on the Mozilla model. I’d be a lot more optimistic [about IE8’s chances] if there was a large public announcement that it was available.”

Microsoft debuted the final edition of IE8 for Windows XP, Vista, Server 2003 and Server 2008 Thursday, upgrading the browser for first time in two-and-a-half years.

Overall, Internet Explorer controls 67.5% of the browser market, according to Net Applications’ numbers, which are collected from the systems that surf to some 40,000 sites that the company tracks for clients. Almost three out of every four IE users run 2006’s IE7, while nearly all of the remainder run the even older IE6.

Currently, IE8 is available only as a manual download from Microsoft’s main download center and the IE8 page. The company will begin automatically installing the new browser on machines now running IE6 or IE7 at some unspecified future date, at which point its market share will undoubtedly climb.

Charlie Miller defends his title; IE8 also falls on Day 1 of hacking contest

March 18, 2009 (Computerworld) Charlie Miller, the security researcher who hacked a Mac in two minutes last year at CanSecWest’s PWN2OWN contest, improved his time today by breaking into another Mac in under 10 seconds.

Miller, a principal analyst at Independent Security Evaluators LLC, walked off with a $5,000 cash prize and the MacBook he hacked.

“I can’t talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched,” said Miller Wednesday not long after he had won the prize. “It probably took 5 or 10 seconds.” He confirmed that he had researched and written the exploit before he arrived at the challenge.

The PWN2OWN rules stated that the researcher could provide a URL that hosted his or her exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. “I gave them the link, they clicked on it, and that was it,” said Miller. “I did a few things to show that I had full control of the Mac.”

PWN2OWN’s sponsor, 3Com Inc.’s TippingPoint unit, paid Miller the $5,000 for the rights to the vulnerability he exploited and the exploit code he used. As it has at past challenges, it reported the vulnerability to on-site Apple representatives. “Apple has it, and they’re working on it,” added Miller.

According to Terri Forslof, the manager of security response at TippingPoint, another researcher later broke into a Sony laptop that was running Windows 7 by exploiting a vulnerability in Internet Explorer 8. “Safari and IE both went down,” she said in an e-mail.

TippingPoint’s Twitter feed added a bit more detail to Forslof’s quick message: “nils just won the sony viao with a brilliant IE8 bug!”

Forslof was not immediately available to answer questions about the IE8 exploit.

TippingPoint will continue the PWN2OWN contest through Friday, and will pay $5,000 for each additional bug successfully exploited in Apple Inc.’s Safari, Microsoft Corp.’s Internet Explorer 8, Mozilla Corp.’s Firefox or Google Inc.’s Chrome. During the contest, IE8, Firefox and Chrome will be available on the Sony, while Safari and Firefox will be running on the MacBook. The researcher who exploited IE8 will, like Miller, be awarded not only the cash, but also the laptop.

“It was great,” said Miller when asked how it felt to successfully defend his title. “But I was really nervous for some reason this time. Maybe it was because there were more people around. Lucky [the exploit] was idiot-proof, because if I had had to think about it, I don’t know if I’d had anything.”

This year’s PWN2OWN also features a mobile operating system contest that will award a $10,000 cash prize for every vulnerability successfully exploited in five smartphone operating systems: Windows Mobile, Google’s Android, Symbian, and the operating systems used by the iPhone and BlackBerry.

Miller said he won’t enter the mobile contest. “I can’t break them,” said Miller, who was one of the first researchers to demonstrate an attack on the iPhone in 2007, and last year was the first to reveal a flaw in Android. “I don’t have anything for the iPhone, and I don’t know enough about Google.”